
I am testing some software with Microsoft's Attack Surface Analyzer. I took a baseline and an after-installation scan of the software I am testing. When I create a report it shows that a certain service is vulnerable to tampering; see picture attached.

I have been researching about how to modify ACL(s) and ACE(s).

The service's original ACL that I am dealing with is defined as follows: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

I have modified the original several times, including changing all the user groups to SU and BA and running the Attack Surface Analyzer again and it is still flagging it.

As it is right now I have modified it like so: D:(A;;CCLCSWLOCRRC;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

I am thinking that the reason the service is still being flagged is the fact that the program running the service sits in the "C:\ProgramData" folder which, to my understanding, all users have access to.

So in theory would changing the program that is running the service fix the issue? Or do I need to make different changes to the service permissions?

Help with this will be extremely appreciated.

0siris

1 Answer


After much research, a lot of documentation reading, headaches, and no solutions found to my question, I found the answer. It came down to this: the reason why it was being flagged is the path from which the service is started, not the service itself or its permissions.

The ProgramData folder (replacement for the Application Data folder from Windows XP) was designed for a program's non-sensitive data storage that is common to all users, rather than using the Program Files folder.

Folders under the ProgramData folder are not meant to be, and are not, a safe place to start services from, due to the permissions on those folders; hence the possibility of "Services Vulnerable to Tampering" being flagged.

I hope this helps someone in the future and feel free to chime in any extra information, the more the merrier.

0siris
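As an added example (not from the question, the answer, or Attack Surface Analyzer itself): a Python check in the spirit of the "Services Vulnerable to Tampering" finding. It decodes the service SDDL from the question into service-specific rights, reports any non-privileged trustee holding a tamper-capable right, and separately applies an assumed heuristic that flags a service binary living under a user-writable root such as C:\ProgramData. The root list and the sample path are assumptions, not taken from the page.

```python
import re

# Service-object meaning of the generic SDDL right letters (the SCM's mapping).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder change what the service runs or who controls it.
TAMPER_RIGHTS = {"CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
# Trustees expected to hold those rights on any service (Local System, Administrators).
PRIVILEGED = {"SY", "BA"}
# Assumed heuristic list: roots ordinary users can write to by default.
USER_WRITABLE_ROOTS = (r"c:\programdata", r"c:\users")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights_set)] for the D: part; two-letter rights only."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace in ACE_RE.findall(dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")
        decoded = {SERVICE_RIGHTS[rights[i:i + 2]] for i in range(0, len(rights), 2)}
        aces.append((ace_type, trustee, decoded))
    return aces

def tamper_capable(sddl):
    """Non-privileged trustees granted a tamper right by an allow (A) ACE."""
    return sorted(t for kind, t, r in parse_dacl(sddl)
                  if kind == "A" and t not in PRIVILEGED and r & TAMPER_RIGHTS)

def binary_path_risky(image_path):
    """True when the service binary sits under one of the assumed user-writable roots."""
    path = image_path.strip('"').lower()
    return any(path == r or path.startswith(r + "\\") for r in USER_WRITABLE_ROOTS)

def assess(sddl, image_path):
    """Findings for a service: weak DACL entries and/or a tamperable binary location."""
    findings = [f"ACL grants tamper rights to {t}" for t in tamper_capable(sddl)]
    if binary_path_risky(image_path):
        findings.append(f"binary path {image_path} is under a user-writable folder")
    return findings

# The question's final ACL (line wrap removed); the path below is a constructed sample.
MODIFIED_SDDL = ("D:(A;;CCLCSWLOCRRC;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
                 "(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_PATH = r"C:\ProgramData\ExampleVendor\svc.exe"
```

Running `assess(MODIFIED_SDDL, SAMPLE_PATH)` reports only the path finding, matching the answer's conclusion that the DACL was already sound and the ProgramData location was the problem.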